U.S. SMALL BUSINESS ADMINISTRATION
OFFICE OF INSPECTOR GENERAL
AUDITING DIVISION

AUDIT REPORT
Issue Date: November 12, 2010
Number: 11-03

To: Jonathan I. Carver
    Chief Financial Officer

    /s/ Original Signed
From: Debra S. Ritt
      Assistant Inspector General for Auditing

Subject: Audit of SBA's FY 2010 Financial Statements

Pursuant to the Chief Financial Officer's Act of 1990, attached is a copy of the Independent Auditors' Report issued by KPMG LLP on the Small Business Administration's financial statements for the fiscal year ended September 30, 2010. The audit was performed under a contract with the Office of Inspector General (OIG) and in accordance with Generally Accepted Government Auditing Standards; Office of Management and Budget's (OMB) Bulletin 07-04, Audit Requirements for Federal Financial Statements, as amended; the Government Accountability Office (GAO)/President's Council on Integrity and Efficiency (PCIE) Financial Audit Manual; and GAO's Federal Information System Controls Audit Manual.

The KPMG report concluded that SBA's consolidated financial statements presented fairly, in all material respects, the financial position of SBA as of and for the years ended September 30, 2010 and 2009. It also presented fairly, in all material respects, SBA's net costs, changes in net position, and combined statements of budgetary resources for the years then ended.

With respect to internal controls, KPMG continued to report a significant deficiency related to Information Technology security controls.
Details regarding the matters that led to the auditor's conclusion on internal controls are further discussed in Exhibit I of the Independent Auditors' Report. KPMG's test for compliance with certain laws, regulations, contracts and grant agreements determined that the Agency did not fully comply with the Debt Collection Improvement Act of 1996 because guidelines regarding referrals of delinquent debt for Treasury cross-servicing and offset were not consistently followed. Details regarding the auditor's conclusion are included in the "Compliance and Other Matters" section of the Independent Auditors' Report. The auditors did not report any other instances or matters regarding noncompliance.

We provided a draft of KPMG's report to SBA's Chief Financial Officer (CFO), who concurred with its findings and recommendations and agreed to implement the recommendations. The CFO is delighted that SBA has again received an unqualified audit opinion and believes these results accurately reflect the quality of the Agency's financial statements and its improved accounting, budgeting and reporting processes.

We reviewed a copy of KPMG's report and related documentation and made necessary inquiries of their respective representatives. Our review was not intended to enable us to express, and we do not express, an opinion on the SBA's financial statements, KPMG's conclusions about the effectiveness of internal control, or its conclusions about SBA's compliance with laws and regulations. However, our review disclosed no instances where KPMG did not comply, in all material respects, with Generally Accepted Government Auditing Standards.

We appreciate the cooperation and assistance of SBA and KPMG. Should you or your staff have any questions, please contact me at (202) 205-[FOIA ex. 2] or Jeffrey R.
Brindle, Director, Information Technology and Financial Management Group at (202) 205-[FOIA ex. 2].

Attachment

KPMG LLP
2001 M Street, NW
Washington, DC 20036-3389

Independent Auditors' Report

Office of Inspector General,
U.S. Small Business Administration:

We have audited the accompanying consolidated balance sheets of the U.S. Small Business Administration (SBA) as of September 30, 2010 and 2009, and the related consolidated statements of net cost and changes in net position, and combined statements of budgetary resources (hereinafter referred to as "consolidated financial statements") for the years then ended. The objective of our audits was to express an opinion on the fair presentation of these consolidated financial statements. In connection with our Fiscal Year (FY) 2010 audit, we also considered SBA's internal control over financial reporting and tested SBA's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements that could have a direct and material effect on these consolidated financial statements.

Summary
As stated in our opinion on the consolidated financial statements, we concluded that SBA's consolidated financial statements as of and for the years ended September 30, 2010 and 2009, are presented fairly, in all material respects, in conformity with U.S.
generally accepted accounting principles.

Our consideration of internal control over financial reporting resulted in identifying certain deficiencies that we consider to be a significant deficiency, as defined in the Internal Control Over Financial Reporting section of this report, as follows:

Improvement Needed in Information Technology (IT) Security Controls

We did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses as defined in the Internal Control Over Financial Reporting section of this report.

The results of our tests of compliance with certain provisions of laws, regulations, contracts, and grant agreements disclosed one instance of noncompliance that is required to be reported under Government Auditing Standards, issued by the Comptroller General of the United States, and Office of Management and Budget (OMB) Bulletin No. 07-04, Audit Requirements for Federal Financial Statements, as amended.

Noncompliance with the Debt Collection Improvement Act

The following sections discuss our opinion on SBA's consolidated financial statements; our consideration of SBA's internal control over financial reporting; our tests of SBA's compliance with certain provisions of applicable laws, regulations, contracts, and grant agreements; and management's and our responsibilities.

KPMG LLP is a Delaware limited liability partnership, the U.S. member firm of KPMG International Cooperative ("KPMG International"), a Swiss entity.

Opinion on the Financial Statements
We have audited the accompanying consolidated balance sheets of SBA as of September 30, 2010 and 2009, and the related consolidated statements of net cost and changes in net position, and the combined statements of budgetary resources for the years then ended.

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of SBA as of September 30, 2010 and 2009, and its net costs, changes in net position, and budgetary resources for the years then ended, in conformity with U.S. generally accepted accounting principles.

The information in the Management's Discussion and Analysis, Required Supplementary Information, and Required Supplementary Stewardship Information sections is not a required part of the consolidated financial statements, but is supplementary information required by U.S. generally accepted accounting principles. We have applied certain limited procedures, which consisted principally of inquiries of management regarding the methods of measurement and presentation of this information. However, we did not audit this information and, accordingly, we express no opinion on it.

Internal Control Over Financial Reporting
A deficiency in internal control exists when the design or operation of a control does not allow management or employees, in the normal course of performing their assigned functions, to prevent, or detect and correct misstatements on a timely basis.
A material weakness is a deficiency, or a combination of deficiencies, in internal control such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

Our consideration of internal control over financial reporting was for the limited purpose described in the Responsibilities section of this report and was not designed to identify all deficiencies in internal control over financial reporting that might be deficiencies, significant deficiencies, or material weaknesses. In our FY 2010 audit, we did not identify any deficiencies in internal control over financial reporting that we consider to be material weaknesses, as defined above. However, we identified a deficiency in internal control over financial reporting described in Exhibit I that we consider to be a significant deficiency in internal control over financial reporting. A significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance.

Exhibit II presents the status of the prior year material weakness, and Exhibit III presents the status of the prior year significant deficiency.

We noted certain additional matters that we have reported to management of SBA in a separate letter dated November 12, 2010.

Compliance and Other Matters
The results of certain of our tests of compliance as described in the Responsibilities section of this report, exclusive of those referred to in the Federal Financial Management Improvement Act of 1996 (FFMIA), disclosed one instance of noncompliance that is required to be reported herein under Government Auditing Standards or OMB Bulletin No. 07-04, and is described below.

Debt Collection Improvement Act of 1996 (DCIA).
During our testwork over loan charge-offs, we noted SBA did not refer loans to Treasury for cross-servicing in accordance with the DCIA. Specifically, we noted ten loan charge-off transactions that were not referred to Treasury for cross-servicing. Two of the ten loans were loan guaranties that were not referred at time of charge-off. The remaining eight loans were not referred due to outdated referral system programming logic which prevented the automatic referral of charged-off loans to Treasury. Through additional research covering the population of Disaster loans charged-off during FY 2010, SBA identified a total of 473 disaster loans that were not referred for cross-servicing. Of the 473 loans identified, 334 loans were not referred due to the referral dates being out of the system range parameter; thus preventing the system from transmitting the loan referrals to Treasury. SBA was unable to determine why the remaining 139 charged-off loans were not referred. According to SBA management, efforts are underway to address the issues noted which caused the system errors. Further, SBA management agreed to perform an analysis of Disaster loans charged-off in prior years to identify and correct potential additional issues of noncompliance. Exhibit IV presents the status of the prior year noncompliance finding.

The results of our other tests of compliance as described in the Responsibilities section of this report, exclusive of those referred to in FFMIA, disclosed no instances of noncompliance or other matters that are required to be reported herein under Government Auditing Standards or OMB Bulletin No.
07-04.

The results of our tests of FFMIA disclosed no instances in which SBA's financial management systems did not substantially comply with (1) Federal financial management systems requirements, (2) applicable Federal accounting standards, and (3) the United States Government Standard General Ledger at the transaction level.

*******
Responsibilities
Management's Responsibilities. Management is responsible for the consolidated financial statements; establishing and maintaining effective internal control; and complying with laws, regulations, contracts, and grant agreements applicable to SBA.

Auditors' Responsibilities. Our responsibility is to express an opinion on the FY 2010 and 2009 consolidated financial statements of SBA based on our audits. We conducted our audits in accordance with auditing standards generally accepted in the United States of America; the standards applicable to financial audits contained in Government Auditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin No. 07-04. Those standards and OMB Bulletin No. 07-04 require that we plan and perform the audits to obtain reasonable assurance about whether the consolidated financial statements are free of material misstatement. An audit includes consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of SBA's internal control over financial reporting. Accordingly, we express no such opinion.

An audit also includes:

• Examining, on a test basis, evidence supporting the amounts and disclosures in the consolidated financial statements;
• Assessing the accounting principles used and significant estimates made by management; and
• Evaluating the overall consolidated financial statement presentation.

We believe that our audits provide a reasonable basis for our opinion.

In planning and performing our FY 2010 audit, we considered the SBA's internal control over financial reporting by obtaining an understanding of SBA's internal control, determining whether internal controls had been placed in operation, assessing control risk, and performing tests of controls as a basis for designing our auditing procedures for the purpose of expressing our opinion on the consolidated financial statements, but not for the purpose of expressing an opinion on the effectiveness of SBA's internal control over financial reporting. Accordingly, we do not express an opinion on the effectiveness of SBA's internal control over financial reporting. We did not test all controls relevant to operating objectives as broadly defined by the Federal Managers' Financial Integrity Act of 1982.

As part of obtaining reasonable assurance about whether SBA's FY 2010 consolidated financial statements are free of material misstatement, we performed tests of SBA's compliance with certain provisions of laws, regulations, contracts, and grant agreements, noncompliance with which could have a direct and material effect on the determination of the consolidated financial statement amounts, and certain provisions of other laws and regulations specified in OMB Bulletin No. 07-04, including the provisions referred to in Section 803(a) of FFMIA.
We limited our tests of compliance to the provisions described in the preceding sentence, and we did not test compliance with all laws, regulations, contracts, and grant agreements applicable to SBA. However, providing an opinion on compliance with laws, regulations, contracts, and grant agreements was not an objective of our audit and, accordingly, we do not express such an opinion.

*******
SBA's response to the findings identified in our audit are presented in Exhibit V. We did not audit SBA's response and, accordingly, we express no opinion on it.

This report is intended solely for the information and use of SBA's management, SBA's Office of Inspector General, OMB, the U.S. Government Accountability Office, and the U.S. Congress and is not intended to be and should not be used by anyone other than these specified parties.

November 12, 2010

Exhibit I
U.S. Small Business Administration
Significant Deficiency

The significant deficiency identified for the year ended September 30, 2010, is summarized below:

(1) Improvement Needed in Information Technology (IT) Security Controls

We made many recommendations to address IT weaknesses identified during the Fiscal Year (FY) 2009 SBA audit. Although SBA has made some progress related to the FY 2009 weaknesses, improvements are still necessary. During FY 2010, we noted additional weaknesses in security access controls, including configuration and patch management, and segregation of duties.
We are not providing details in this report on the specific weaknesses due to their sensitivity, but we have provided the details under a separate cover to SBA management.

Security Access Controls

Integral to an organization's security program management efforts, system security access controls should provide reasonable assurance that IT resources, such as data files, application programs, and IT-related facilities/equipment, are protected against unauthorized modification, disclosure, loss, or impairment.

A summary of the security access weaknesses we identified during the FY 2010 SBA financial statement audit follows:

• We identified several high and medium risk security vulnerabilities affecting various financial systems. We provided the detailed vulnerabilities to SBA management.

• We identified weaknesses in network access controls.

• We noted several high and medium risk security vulnerabilities affecting another key financial system, which is hosted by an SBA service provider. Although the service provider was monitoring the vulnerabilities and a plan to mitigate such weaknesses was developed, it was not implemented at the time of our review.

• We identified system patches that were not applied in a timely manner to a key financial system. Based on review of the Plan of Actions and Milestones (POA&M) for the system, we could not determine whether corrective actions were made timely.

• Password configuration settings for two key financial systems need improvement. We noted that one financial system did not enforce user password history, password complexity or account lockout after a specified number of failed login attempts. Another key financial system did not enforce password history, password complexity, password changes after 90 days, or account lockout after a specified number of failed login attempts.
  In addition, we found that password length settings are not compliant with SBA Standard Operating Procedure (SOP) 90.47.2, Automated Information Systems Security Program.

• Physical access control procedures are not current and have not been implemented at one SBA location.

• Several users have unnecessary access to a SBA financial subsystem.

• User accounts are not periodically reviewed for three key financial systems.

• There are weak controls over the monitoring and review of audit logs for four of seven systems we reviewed.

Recommendations - Security Access Controls:

We recommend that the Chief Information Officer (CIO) coordinate with SBA program offices to:

1. Improve the vulnerability tracking and monitoring process to fully address high and medium risk vulnerabilities for key financial systems. Ensure that the vulnerability reports are reviewed and analyzed on a regular basis. Periodically monitor the existence of necessary services and protocols running on servers and network devices. Develop a more thorough approach to track and mitigate patch management and configuration management vulnerabilities identified during monthly scans.

2. Prevent users from anonymously connecting unauthorized devices by developing and implementing procedures to ensure mandatory domain authentication for IP address issuance.

3. Improve the POA&M review and approval process for key financial systems.
   In addition, include all unresolved weaknesses on the POA&M (including vulnerabilities identified at service providers).

4. Enforce financial system password controls for System Administrators and Database Administrators (DBAs) and physical access controls in accordance with SBA SOP 90.47.2.

5. Develop and implement procedures for user access reviews to ensure that proper access rights are set for financial subsystems.

6. Oversee the review and validation of financial system accounts on a periodic basis.

7. Implement a process to monitor the audit logs of all financial applications on a regular basis.

Segregation of Duties
The primary focus of an organization's segregation of duties controls is to provide reasonable assurance that incompatible duties are effectively segregated. Without such controls, there is a risk that unauthorized changes could be implemented into the IT environment, and users may have access that is inappropriate for their duties. As a result, the confidentiality, integrity, and availability of financial data are at risk of possible loss, modification, or disclosure.

A summary of the segregation of duties control deficiencies we identified during the FY 2010 SBA financial statement audit follows:

• Application programmers for a key financial system have the ability to make changes and implement the changes into the production environment.

• Access to the development and production libraries of a key financial system is not restricted based on job role/functions or privileges.

• Certain Information Security staff and DBAs have incompatible access privileges for a financial system, which enable them to perform the user administration functions (i.e., grant any role, create user, become user, alter user, or drop user).
  We determined that compensating IT controls are not in place to mitigate this weakness.

Recommendations - Segregation of Duties:

We recommend the Chief Financial Officer:

8. Implement procedures and conduct audits of financial system software changes to ensure all changes are sufficiently approved and tested.

We also recommend the CIO:

9. Restrict access to software program libraries based on the principle of least privilege, and periodically review access to the libraries.

10. Separate user and data administration functions for financial systems, or implement compensating IT controls such as management review of user administration functions.

Security Management
An entity-wide information security management program is the foundation of a security control structure and a reflection of senior management's commitment to addressing security risks.
This security management program should establish a framework, and continuous cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.

A summary of the security management weaknesses we identified during the FY 2010 SBA financial statement audit follows:

• A mandatory training program for IT security personnel has not been implemented.

• We could not obtain sufficient evidence that media was sanitized properly in accordance with SBA policy.

• SBA implemented end-user security policies and procedures in May 2010, but the policies were not implemented during FY 2010.

Recommendations - Security Management:

We recommend the CIO:

11. Develop a comprehensive security education and training program for all IT security personnel and a method for monitoring the training program.

12. Implement and enforce the procedures documented in SOP 90.47.2 for sanitizing media to be disposed and for maintaining a log of employees who sanitize media to validate the appropriateness of the sanitization process.

13. Coordinate with program offices using end-user programs containing sensitive data, such as Personally Identifiable Information and financial data, to implement end-user computing procedures in accordance with the guidance.

Software Configuration Management

The primary focus of an organization's software configuration management process is to control the software changes made to networks and systems.
Without such controls, there is a risk that security features could be inadvertently, or deliberately, omitted or turned off, or that processing irregularities or malicious code could be introduced into the IT environment.

A summary of the configuration management weaknesses we identified during the FY 2010 SBA financial statement audit follows:

• The configuration management process is not centralized, and the Enterprise Change Control Board governance processes are not fully implemented across SBA.

• SBA personnel could not provide sufficient evidence to support software change authorizations for several financial systems.

Recommendations - Software Configuration Management:

We recommend the CIO:

14. Enforce an organization-wide configuration management process, to include policies and procedures for maintaining documentation that supports testing and approvals of software changes.

Exhibit II
U.S. Small Business Administration
Status of Prior Year Material Weakness

Fiscal Year 2009 Finding:
During Fiscal Year (FY) 2009, we reported a material weakness in internal control related to SBA's financial reporting.

Fiscal Year 2010 Status of Finding:
During FY 2010, SBA made significant operational improvements over the controls surrounding the year-end financial reporting process. These improvements included automating previously manual processes and
increasing the level of financial statement review performed by personnel within the Office of the Chief Financial Officer. In addition, our testwork did not identify any significant misstatements in FY 2010.

Therefore, in FY 2010, this matter is closed.

Exhibit III
U.S. Small Business Administration
Status of Prior Year Significant Deficiency

Fiscal Year 2009 Finding:
Improvement Needed In Information Technology (IT) Security Controls

Fiscal Year 2010 Status of Finding:
During our review of SBA's IT general and application controls, we noted minimal improvements made to address prior year findings. Therefore, control deficiencies continue to exist.

Therefore, in fiscal year 2010, the presentation of the issue was modified to reflect current year operations, and we continue to report a significant deficiency in internal controls as it relates to IT systems and their impact on the consolidated financial statements.
See Exhibit I for additional information.

Exhibit IV
U.S. Small Business Administration
Status of Prior Year Noncompliance

Fiscal Year 2009 Finding:
Debt Collection Improvement Act of 1996 (DCIA)

During our Fiscal Year (FY) 2009 audit, as stated in its Federal Managers' Financial Integrity Act (FMFIA) Assurance Statement, SBA management reported the agency was noncompliant with the DCIA in FY 2009. The noncompliance was due to instances where SBA did not refer a substantial number of charged off loans to Treasury for offset and cross servicing.

Fiscal Year 2010 Status of Finding:
During our review over SBA's compliance with the DCIA, we noted improvements made in SBA's Treasury offset and cross-servicing referral process. However, during FY 2010 we noted instances of noncompliance related to timely referrals of loan charge-offs to Treasury for cross-servicing.

Therefore, in FY 2010, the issue is again presented in the Compliance and Other Matters section of our Independent Auditors' Report.

Exhibit V

U.S. SMALL BUSINESS ADMINISTRATION
WASHINGTON, D.C. 20416

DATE: November 12, 2010

TO: Debra Ritt, Assistant IG for Auditing

[FOIA ex. 6]
FROM: Jonathan Carver,
Chief Financial Officer

SUBJECT: Draft Audit Report on FY 2010 Financial Statements

The Small Business Administration is in receipt of the draft Independent Auditors' Report from KPMG that includes the auditor's opinion on the financial statements and review of the Agency's internal control over financial reporting and compliance with laws and regulations. The independent audit of the Agency's financial statements and related processes is a core component of SBA's financial management program.

We are delighted that the SBA has again received an unqualified audit opinion from the independent auditor with no reported material weaknesses. We believe these results accurately reflect the quality of the Agency's financial statements and our improved accounting, budgeting and reporting processes. As you know, the SBA has worked hard over the past several years to address the findings from our independent auditors. Our core financial reporting data and processes have improved substantially, and we are proud that the results of our efforts have been confirmed by the independent auditor.

The audit report includes a continuing significant deficiency in SBA's information technology controls. As the auditors noted in their report on the 2010 financial statements, the SBA made substantial progress in resolving IT deficiencies. The SBA will continue to improve the Agency's IT security during the upcoming fiscal year. The SBA is developing plans to track, monitor, and aggressively mitigate vulnerabilities in all Agency systems. Furthermore, the SBA will clarify and strengthen detailed procedures required to ensure security access controls are in place to protect SBA data from unauthorized modification, disclosure, and loss.

The audit report identified one instance of non-compliance with applicable laws and regulations as of September 30, 2010. Due to a system error, 473 of 8,229 charged off disaster loans, or 5.7 percent,
were not referred to Treasury for cross-servicing and for the Treasury offset as required by the Debt Collection Improvement Act. This represents $11.3 million of the $247.5 million disaster loans written-off in FY 2010, or 4.6 percent. The system issue has been identified and is in the process of being remedied, and a mitigation plan has been developed to ensure that this issue will not recur. All loans eligible for Treasury referral will be referred within the next six months. In FY2009, through the SBA's self-assessment process it was identified that the agency was not referring non-disaster loans for the Treasury off-set program; this was corrected in FY2010. There were no issues identified in the testing of the improved internal controls over non-disaster loans by both our independent auditors and our OMB A-123 team in the current year, and we anticipate the same successful resolution for the disaster loans in FY 2011.

We appreciate all of your efforts and those of your colleagues in the Office of the Inspector General as well as those of KPMG. The independent audit process continues to provide us with new insights and valuable recommendations that will further enhance SBA's financial management practices. We continue to be committed to excellence in financial management and look forward to making more progress in the coming year.